
Issue 898210


Issue metadata

Status: Available
Owner: ----
Cc:
Components:
EstimatedDays: ----
NextAction: ----
OS: Chrome
Pri: 2
Type: Bug


shill: set up IP masquerade rules based on connection type

Project Member Reported by benchan@chromium.org, Oct 23

Issue description

Forked from b/117113549:

We've observed that packets such as STUN and MDNS with different source addresses have been sent out over a cellular connection, which can be problematic as the cellular network may treat that as an IP source violation and drop the connection. 

chromeos-nat-init/nat.conf currently masquerades outgoing packets only if they are marked. We currently have packet marking in the PREROUTING stage, which doesn't cover packets generated by local processes.

We need to first identify the sources that may generate the aforementioned packets. We can mark them accordingly, but most likely we will need to fully masquerade outgoing packets on certain network interfaces to ensure no packet escapes. CL:1296033 modifies chromeos-nat-init/nat.conf to masquerade packets going out the wwan* interface as a stop-gap solution for b/117113549. A better solution needs to be implemented in shill to set up the masquerade rules based on connection type.
 
Cc: akhouderchah@chromium.org
Labels: Enterprise-Triaged
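
The gap described in the report, as an added example that is not code from shill or chromeos-nat-init: a small model of netfilter hook traversal comparing mark-based masquerading with masquerading on the outgoing interface. The addresses, function names and the assumption that the PREROUTING rule marks every packet it sees are constructed for illustration.

```python
from dataclasses import dataclass
from fnmatch import fnmatch

WWAN_ADDR = "203.0.113.10"  # constructed: address assigned by the cellular network

@dataclass
class Packet:
    src: str
    out_if: str
    origin: str  # "forwarded" (arrived on another interface) or "local"
    mark: int = 0

def hooks_for(pkt):
    # Forwarded traffic enters at PREROUTING. Locally generated traffic
    # enters at OUTPUT and never traverses PREROUTING.
    if pkt.origin == "forwarded":
        return ["PREROUTING", "FORWARD", "POSTROUTING"]
    return ["OUTPUT", "POSTROUTING"]

def mark_based(pkt, hook):
    """Assumed model: mark in PREROUTING, masquerade marked packets in POSTROUTING."""
    if hook == "PREROUTING":
        pkt.mark = 1
    elif hook == "POSTROUTING" and pkt.mark == 1:
        pkt.src = WWAN_ADDR

def interface_based(pkt, hook):
    """Masquerade everything leaving an interface that matches wwan*."""
    if hook == "POSTROUTING" and fnmatch(pkt.out_if, "wwan*"):
        pkt.src = WWAN_ADDR

def source_violations(ruleset, packets):
    """Return source addresses that would leave wwan* without being masqueraded."""
    leaked = []
    for p in packets:
        pkt = Packet(p.src, p.out_if, p.origin)  # work on a copy
        for hook in hooks_for(pkt):
            ruleset(pkt, hook)
        if fnmatch(pkt.out_if, "wwan*") and pkt.src != WWAN_ADDR:
            leaked.append(pkt.src)
    return leaked

SAMPLE = [  # constructed packets
    Packet("192.0.2.6", "wwan0", "forwarded"),   # routed in from another interface
    Packet("198.51.100.23", "wwan0", "local"),   # local socket using a non-wwan address
    Packet("198.51.100.23", "wlan0", "local"),   # not on cellular, out of scope
]

if __name__ == "__main__":
    print("mark-based leaks:", source_violations(mark_based, SAMPLE))
    print("interface-based leaks:", source_violations(interface_based, SAMPLE))
```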
